The Security Operations Company Symantec On Sandboxing [updated] - Evaluate

Executive Summary

Symantec (now part of Broadcom) has integrated sandboxing as a core component of its Integrated Cyber Defense (ICD) platform, primarily via the Symantec Content and Malware Analysis (CMA) appliance and its cloud-based variant, the Malware Analysis Cloud. While Symantec was a pioneer in signature-based antivirus, its transition to dynamic, behavior-based sandboxing has been a mixed evolution. This evaluation concludes that Symantec's sandboxing is robust for enterprise integration but lags behind best-of-breed specialists (e.g., Joe Sandbox, VMRay, CrowdStrike Falcon Sandbox) in evasion resistance and analysis depth.

1. Architecture & Deployment

Strengths

Deep Native Integration
Unlike standalone sandbox vendors, Symantec's strength lies in its ecosystem. CMA natively ingests files from Symantec Email Security.cloud, Web Security Service (WSS), Endpoint Protection (SEP), and Network DLP, which allows automated, policy-driven detonation of suspicious objects without third-party APIs or custom glue code. For a SOC team already standardized on Symantec, this reduces integration friction and mean time to triage.

CMA supports Windows, macOS, Linux, and Android guests, and common document formats (Office, PDF, archives). It also includes IoT/ICS protocol analysis, which is uncommon among generalist sandboxes and makes it viable for industrial control SOCs.

Symantec offers both on-premise CMA appliances (for air-gapped or high-latency environments) and a cloud analysis farm. The hybrid model allows sensitive files (e.g., financial, legal) to be analyzed on-prem while high-volume email/web traffic is routed to the cloud, balancing compliance with scale. The routing policy is the control point here: which objects may leave the premises should follow data classification, not merely the ingestion channel.

2. Detection Capabilities (The Core Function)

Behavioral Analysis Quality
Symantec combines dynamic analysis (process tree, registry and file activity, network connections) with kernel-level monitoring. The kernel-level component matters because user-mode API hooks are trivially bypassed by direct syscalls, so a sandbox that relies on them alone misses evasive samples. It effectively captures typical malware behaviors: process hollowing, reflective DLL injection, and persistence mechanisms.
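The behaviors the behavioral-analysis section lists (process hollowing, reflective DLL injection, Run-key persistence) are recognizable in a dynamic-analysis event trace as ordered API-call sequences between a source and a target process. The triage script below, added here as an illustration and not Symantec's or CMA's own code, shows what a SOC would write to turn such a trace into findings. The JSON report shape, the sample events, and the function names are all constructed for this example; real CMA and Malware Analysis Cloud reports use their own schema.

```python
"""Triage a dynamic-analysis report for process hollowing, reflective DLL
injection and Run-key persistence.

Added example; this is not Symantec/CMA code. The JSON shape below (a flat,
time-ordered list of API-call events keyed by pid) is a constructed,
hypothetical schema; real CMA / Malware Analysis Cloud reports use their own.
"""
import json
from collections import defaultdict

# Constructed sample: pid 100 hollows a suspended svchost.exe (pid 200),
# injects an unbacked payload into explorer.exe (pid 300), and adds a Run key.
SAMPLE_REPORT = json.dumps({"events": [
    {"pid": 100, "api": "CreateProcessW", "child_pid": 200,
     "args": {"image": "C:\\Windows\\System32\\svchost.exe", "flags": "CREATE_SUSPENDED"}},
    {"pid": 100, "api": "NtUnmapViewOfSection", "args": {"target_pid": 200}},
    {"pid": 100, "api": "WriteProcessMemory", "args": {"target_pid": 200}},
    {"pid": 100, "api": "SetThreadContext", "args": {"target_pid": 200}},
    {"pid": 100, "api": "ResumeThread", "args": {"target_pid": 200}},
    {"pid": 100, "api": "VirtualAllocEx",
     "args": {"target_pid": 300, "protect": "PAGE_EXECUTE_READWRITE"}},
    {"pid": 100, "api": "WriteProcessMemory", "args": {"target_pid": 300}},
    {"pid": 100, "api": "CreateRemoteThread",
     "args": {"target_pid": 300, "start_routine": "0x1a2b0000 (unbacked)"}},
    {"pid": 100, "api": "RegSetValueExW",
     "args": {"key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "value": "Updater"}},
    {"pid": 300, "api": "LoadLibraryW", "args": {"module": "C:\\Windows\\System32\\user32.dll"}},
]})

# Ordered API subsequences (gaps allowed) that characterise each technique.
# NtUnmapViewOfSection is deliberately not required: newer hollowing variants skip it.
HOLLOWING_SEQ = ["CreateProcessW", "WriteProcessMemory", "SetThreadContext", "ResumeThread"]
REMOTE_THREAD_SEQ = ["VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread"]
AUTORUN_KEYS = ("\\CurrentVersion\\Run", "\\CurrentVersion\\RunOnce")


def _is_subsequence(apis, seq):
    """True if every name in seq occurs in apis, in order, with gaps allowed."""
    it = iter(apis)
    return all(any(a == s for a in it) for s in seq)


def analyze(report_json):
    """Return (finding, source_pid, detail) tuples for the given report."""
    events = json.loads(report_json)["events"]
    per_target = defaultdict(list)   # (source pid, target pid) -> ordered API names
    suspended = set()                # children created with CREATE_SUSPENDED
    thread_start = {}                # (source, target) -> CreateRemoteThread start routine
    findings = []
    for e in events:
        args = e.get("args", {})
        pid, api = e["pid"], e["api"]
        # Attribute cross-process calls to the injecting process, not the victim.
        if api == "CreateProcessW" and "CREATE_SUSPENDED" in args.get("flags", ""):
            suspended.add(e["child_pid"])
            per_target[(pid, e["child_pid"])].append(api)
        elif "target_pid" in args:
            per_target[(pid, args["target_pid"])].append(api)
            if api == "CreateRemoteThread":
                thread_start[(pid, args["target_pid"])] = args.get("start_routine", "")
        if api.startswith("RegSetValueEx") and args.get("key", "").endswith(AUTORUN_KEYS):
            findings.append(("persistence.autorun_key", pid, args["key"]))
    for (src, dst), apis in per_target.items():
        if dst in suspended and _is_subsequence(apis, HOLLOWING_SEQ):
            findings.append(("injection.process_hollowing", src, dst))
        elif _is_subsequence(apis, REMOTE_THREAD_SEQ):
            # A thread started at LoadLibrary* is classic DLL injection; anything
            # else executes straight from the written buffer, i.e. reflective.
            if thread_start.get((src, dst), "").startswith("LoadLibrary"):
                findings.append(("injection.loadlibrary_dll", src, dst))
            else:
                findings.append(("injection.reflective_dll", src, dst))
    return findings


def verdict(findings):
    """Collapse findings into the coarse verdict a pipeline would act on."""
    kinds = {f[0] for f in findings}
    if any(k.startswith("injection.") for k in kinds):
        return "malicious"
    return "suspicious" if kinds else "clean"


if __name__ == "__main__":
    for f in analyze(SAMPLE_REPORT):
        print(f)
    print(verdict(analyze(SAMPLE_REPORT)))
```

The sequence matching is ordered but gap-tolerant, so unrelated calls interleaved by the sample do not break detection; the trade-off is that a sandbox which only records user-mode hooks will never emit the WriteProcessMemory or SetThreadContext events for a sample that issues direct syscalls, which is exactly why the kernel-level monitoring discussed above matters.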